I've recently signed up for Fusion service with a block of static IPs, but I'm still unable to use switch over because of a problem that seems to be associated with ARP on my firewall. Briefly, my configuration is a Sonic-provided DSL modem in bridge mode connected to one port on my firewall, a Soekris box running m0n0wall. Three other subnets have hosts, printers, etc. (LAN, DMZ, and Wireless). Everything is NATed. Some of the hosts on the LAN and DMZ networks have static IP addresses, some do not; the static addresses are set up for 1:1 NAT and Proxy ARP between the WAN port on the firewall and the appropriate internal addresses. This configuration has worked well for me through two other ISPs, so I know it can work.
What I'm seeing is that the hosts with static IP addresses never make it into the ARP table. By sniffing the ethernet I can see an ECHO-REQUEST packet with the correct IP address come from the firewall (and presumably leave via the DSL line; both the IP address and the MAC address are correct) but I never see an ECHO-REPLY or an ARP WHO-HAS request come back. But if I ping from one of the non-static NATed addresses everything works fine.
It gets weirder. If I attach my laptop outside the firewall and use arping I can trick the DSLAM into thinking that my laptop is one of the other static addresses. Once that happens, a ping from the real host through the firewall does get a response, but of course it comes to my laptop, not the firewall, so it isn't very useful. I tried using -s to spoof the MAC address, but that doesn't work: it uses the MAC address from the ethernet header, not the one in the ARP packet.
So far Sonic's response has been either "ditch the firewall", which I consider to be irresponsible, or "it's not our problem", which isn't very useful. They don't seem to be willing to even look at the packet traces I've generated. Does anyone out there have any better ideas? I would really prefer not to have to return to Speakeasy, but at this point it looks like I'm being forced that way.
eric
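The arping limitation described above (the Ethernet source MAC comes from the sending interface, while -s only changes the sender hardware address inside the ARP payload) is easy to work around with a hand-built frame. The following is an added example for this thread, not code from eric, m0n0wall or Sonic: it builds a gratuitous ARP reply in pure Python, lets you set the Ethernet source and the ARP sender hardware address independently, and includes a parser so you can check from a capture whether the two agree. The MACs, the 192.0.2.x addresses and the interface name are placeholders chosen for the example; substitute the firewall's WAN MAC and one of the static IPs. Sending needs root on Linux and is only done when you call send_frame explicitly.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(data: bytes) -> str:
    return ":".join(f"{b:02x}" for b in data)


def build_arp_frame(eth_src: str, hwsrc: str, psrc: str, pdst: str,
                    op: int = ARP_REPLY, eth_dst: str = BROADCAST) -> bytes:
    """Ethernet + ARP frame (42 bytes).

    eth_src is the MAC in the Ethernet header (what a switch or DSLAM learns
    from); hwsrc is the sender hardware address inside the ARP payload (what
    the receiving IP stack puts in its ARP table). arping -s only lets you set
    hwsrc; here both are explicit so they can be made identical.
    """
    eth = struct.pack("!6s6sH", mac_to_bytes(eth_dst), mac_to_bytes(eth_src), ETH_P_ARP)
    # A gratuitous reply carries the broadcast MAC as target hardware address;
    # a request carries zeros there.
    tha = mac_to_bytes(eth_dst) if op == ARP_REPLY else b"\x00" * 6
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,            # hardware type: Ethernet
                      0x0800,       # protocol type: IPv4
                      6, 4,         # hardware / protocol address lengths
                      op,
                      mac_to_bytes(hwsrc), socket.inet_aton(psrc),
                      tha, socket.inet_aton(pdst))
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the fields a troubleshooter cares about from a captured ARP frame."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "eth_dst": bytes_to_mac(eth_dst),
        "eth_src": bytes_to_mac(eth_src),
        "op": "who-has" if op == ARP_REQUEST else "is-at" if op == ARP_REPLY else str(op),
        "hwsrc": bytes_to_mac(sha),
        "psrc": socket.inet_ntoa(spa),
        "hwdst": bytes_to_mac(tha),
        "pdst": socket.inet_ntoa(tpa),
    }


def sender_macs_match(frame: bytes) -> bool:
    """True when the Ethernet source and the ARP sender hardware address agree.

    This is the property arping -s cannot give you from a laptop, and the one
    that matters if the upstream device keys its table on the Ethernet header.
    """
    fields = parse_arp_frame(frame)
    return fields["eth_src"] == fields["hwsrc"]


def send_frame(iface: str, frame: bytes) -> None:
    """Put a raw frame on the wire (Linux AF_PACKET, needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:  # type: ignore[attr-defined]
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    # Constructed placeholder values, not taken from any real network.
    firewall_mac = "00:11:22:33:44:55"
    laptop_mac = "aa:bb:cc:dd:ee:ff"
    static_ip, gateway_ip = "192.0.2.10", "192.0.2.1"

    # What arping -s from the laptop produces: payload says firewall, header says laptop.
    arping_style = build_arp_frame(laptop_mac, firewall_mac, static_ip, gateway_ip)
    # What we actually want: both fields carry the firewall's MAC.
    consistent = build_arp_frame(firewall_mac, firewall_mac, static_ip, gateway_ip)

    for label, frame in (("arping -s", arping_style), ("consistent", consistent)):
        print(label, parse_arp_frame(frame), "match:", sender_macs_match(frame))
    # To transmit from the laptop's outside interface (as root):
    # send_frame("eth0", consistent)
```

The same parser works on frames pulled from a tcpdump capture (`tcpdump -i eth0 -w arp.pcap arp`, then feed the 42-byte frame payloads to parse_arp_frame), which is a quick way to confirm whether the upstream ever sends a who-has for the static block at all, or only answers for addresses it has already learned.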